Identity Security

From Just-in-Time Access to Just-in-Time Trust

How Setu operationalizes the JIT-TRUST framework through ECI scoring, continuous trust scoring, and closed-loop remediation

Setu Research
February 6, 2026

The Problem: 144 NHIs Per Human, Zero Dynamic Trust

Lawrence Pingree's recent piece on Just-in-Time Trust (JIT-TRUST) names something every security team feels but few articulate precisely: traditional identity governance was built for humans clicking through approval workflows, not autonomous agents making thousands of API calls per minute.

The numbers are stark. Non-human identities now outnumber human users 144 to 1. Service accounts, API keys, OAuth tokens, and AI agents operate at machine speed with standing privileges that no human ever reviews. Legacy IAM, IGA, and PAM systems treat these identities as an afterthought—if they see them at all.

Pingree describes the resulting visibility gap: hidden, disparate identities scattered across siloed systems that traditional tools cannot unify or monitor.

We've been building against this exact problem. Here's how Setu's Identity Risk Graph platform maps to the JIT-TRUST framework—not as a theoretical exercise, but as shipping code.


Principle 1: Dynamic Trust Scoring Over Static Policies

What JIT-TRUST prescribes

The framework introduces a Weighted Intent Score (WIS) that continuously evaluates trust:

WIS = (Objective Clarity × Contextual Appropriateness) / (Risk Magnitude × Time Expiration)

When WIS drops below a safety threshold, the system triggers graduated responses: increased friction, privilege reduction, flagging, or full session suspension.

How Setu implements this

Setu's Zero Trust Score is a composite 0–100 signal computed from six weighted dimensions in real time:

Signal                   Weight  Source
Device Posture           25%     MDM, EDR (OS updates, encryption, firewall, AV status)
Authentication Strength  20%     MFA status, auth method, passkey vs. password
Behavioral Signals       20%     Anomaly detection, baseline deviation
Location Context         15%     Geo-IP, VPN status, network classification
Time-Based Risk          10%     Business hours vs. off-hours access
Network Context          10%     Corporate network vs. public internet

Each signal has a configurable expiration window (default: 5 minutes for trust refresh, 15 minutes for signal TTL). The score is continuously recomputed, not evaluated once at login. A score below 30 triggers a critical-level response; a score below 50 triggers a high-level response.

This maps directly to Pingree's Continuous Adaptive Trust (CAT) evolution—where access is a state continuously earned rather than granted once. Our graduated response chain mirrors the JIT-TRUST escalation ladder:

  1. Increase friction — Step-up MFA challenge for the specific action
  2. Privilege reduction — Temporarily restrict sensitive resource access
  3. SOC alerting — Real-time notification to security operations
  4. Session suspension — Full termination if deviation is severe
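The composite score, signal TTL and escalation ladder above, as an added worked example (not Setu's code). The weights, the 15-minute TTL and the 30/50 thresholds come from the text; the 0-100 per-signal scale, counting a missing or expired signal as zero, and the mapping of levels to ladder actions are assumptions.

```python
from dataclasses import dataclass

# Weights and thresholds are the page's; the 0-100 per-signal values, the
# treatment of expired signals and the level-to-action mapping are assumptions.
WEIGHTS = {
    "device_posture": 0.25,   # MDM / EDR posture
    "auth_strength": 0.20,    # MFA, passkey vs. password
    "behavioral": 0.20,       # anomaly detection vs. baseline
    "location": 0.15,         # geo-IP, VPN, network classification
    "time_risk": 0.10,        # business hours vs. off-hours
    "network": 0.10,          # corporate network vs. public internet
}
SIGNAL_TTL_SECONDS = 15 * 60  # page default: 15-minute signal TTL
ACTIONS = {                    # escalation ladder from the page
    "normal": [],
    "high": ["step_up_mfa", "restrict_sensitive_resources"],
    "critical": ["step_up_mfa", "restrict_sensitive_resources",
                 "alert_soc", "suspend_session"],
}

@dataclass
class Signal:
    value: float        # 0 = worst .. 100 = best (assumed scale)
    observed_at: float  # unix time the signal was last refreshed

def zero_trust_score(signals: dict, now: float) -> float:
    """Weighted composite over the six dimensions. A missing or expired
    signal contributes 0 (assumption: stale evidence earns no trust), so a
    lapse in EDR or MDM telemetry visibly drags the score down."""
    total = 0.0
    for name, weight in WEIGHTS.items():
        sig = signals.get(name)
        if sig is None or now - sig.observed_at > SIGNAL_TTL_SECONDS:
            continue
        total += weight * max(0.0, min(100.0, sig.value))
    return round(total, 1)

def response_level(score: float) -> str:
    """Page thresholds: below 30 is critical, below 50 is high."""
    if score < 30:
        return "critical"
    return "high" if score < 50 else "normal"

def evaluate(signals: dict, now: float):
    """Returns (score, level, graduated actions) for one refresh cycle."""
    score = zero_trust_score(signals, now)
    level = response_level(score)
    return score, level, ACTIONS[level]
```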

Principle 2: ECI as the Core Risk Metric

What JIT-TRUST prescribes

The framework emphasizes that access decisions must incorporate risk magnitude—the potential harm if an action is malicious. Static role assignments tell you nothing about actual exposure.

How Setu implements this

ECI (Expected Compromise Impact) is Setu's shorthand for a per-identity exposure score: a personalized-PageRank derivative biased by the crown-jewel teleport set, with capacitance weighting per identity defense posture. The components are well-known propagation methods; the production composition—crown-jewel teleport, capacitance weighting, recency-decayed edge weights—is ours. The output is a 0–100 score weighted by five factors:

Factor              Weight  What it measures
Resource Access     30%     Total resources the identity can reach via the exposure graph
Critical Resources  25%     Crown jewels: production databases, secrets vaults, admin consoles
Data Sensitivity    20%     Whether reachable resources contain PII, PHI, or financial data
Lateral Movement    15%     Impersonation paths, role assumption chains, delegation capabilities
Privilege Level     10%     Direct admin/root/owner access

Every identity—human and non-human—gets an ECI score. An engineer with read access to staging scores differently from a service account with write access to production secrets. The score drives every downstream decision: remediation priority, SLA timelines, automation approval thresholds.

For NHIs specifically, Setu applies a Credential Hygiene Risk Modifier (1.0x to 3.0x) that amplifies the structural ECI based on credential health:

  • Rotation risk (30% weight): How old is this credential? Never-rotated keys get maximum penalty.
  • Exposure risk (25%): Has this credential appeared in breach data or infostealer logs?
  • Scope risk (20%): Is the credential overprivileged for its purpose?
  • Ownership risk (15%): Is there clear attribution, or is this an orphaned key?
  • Authentication risk (10%): What auth mechanisms protect it?

When three or more factors score above 0.8, a compounding bonus pushes the modifier higher. A service account with a hardcoded, never-rotated, orphaned API key can score 3x its structural ECI—surfacing risks that static permission analysis would miss entirely.
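The Credential Hygiene Risk Modifier as an added worked example (not Setu's code). The five factor weights, the 1.0x to 3.0x range and the "three or more factors above 0.8" rule are from the text; the linear mapping from weighted risk to modifier, the size of the compounding bonus and the 90-day rotation policy are assumptions.

```python
# Factor weights, the 1.0x-3.0x range and the "three or more factors above
# 0.8" compounding rule are the page's; the linear mapping from weighted
# risk to modifier and the size of the compounding bonus are assumptions.
HYGIENE_WEIGHTS = {
    "rotation": 0.30,        # credential age; never rotated = max penalty
    "exposure": 0.25,        # seen in breach data / infostealer logs
    "scope": 0.20,           # overprivileged for its purpose
    "ownership": 0.15,       # orphaned vs. clearly attributed
    "authentication": 0.10,  # strength of the auth mechanisms protecting it
}
MIN_MODIFIER, MAX_MODIFIER = 1.0, 3.0
COMPOUND_THRESHOLD, COMPOUND_MIN_FACTORS, COMPOUND_BONUS = 0.8, 3, 0.5

def rotation_risk(age_days: int, never_rotated: bool, max_age_days: int = 90) -> float:
    """Never-rotated keys get the maximum penalty; otherwise risk grows
    linearly with age relative to the rotation policy (assumed 90 days)."""
    if never_rotated:
        return 1.0
    return min(1.0, age_days / max_age_days)

def hygiene_modifier(factors: dict) -> float:
    """factors: factor name -> risk in [0, 1], 1 being worst.
    Modifier = 1 + 2 * weighted risk, plus a compounding bonus when three or
    more factors are individually severe, capped at 3.0x."""
    clamp = lambda x: max(0.0, min(1.0, x))
    weighted = sum(w * clamp(factors.get(k, 0.0)) for k, w in HYGIENE_WEIGHTS.items())
    modifier = MIN_MODIFIER + (MAX_MODIFIER - MIN_MODIFIER) * weighted
    severe = sum(1 for k in HYGIENE_WEIGHTS if clamp(factors.get(k, 0.0)) > COMPOUND_THRESHOLD)
    if severe >= COMPOUND_MIN_FACTORS:
        modifier += COMPOUND_BONUS
    return round(min(MAX_MODIFIER, modifier), 2)

def amplified_eci(structural_eci: float, factors: dict) -> float:
    """Structural ECI times the hygiene modifier. The page describes the
    amplified value as up to 3x structural; clamping back to a 0-100 display
    scale is left to the caller."""
    return round(structural_eci * hygiene_modifier(factors), 1)
```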


Principle 3: Authority Mapping and Micro-Perimeters

What JIT-TRUST prescribes

Agents should operate strictly within pre-authorized micro-perimeters around access, tools, and execution scope. Permission should be tied to the agent's current behavioral role, not static credentials.

How Setu implements this

Setu's graph-based attack path analysis builds a complete map of what each identity can actually reach—not just what it's been granted on paper. The identity exposure graph models:

  • Entities: Human identities across AD, Azure AD, AWS IAM, Okta, Google Workspace. Non-human identities across 30+ platforms (service accounts, API keys, OAuth apps, AI agents, CI/CD tokens).
  • Relationships: Group membership, role assignment, permission grants, impersonation paths, assume-role chains, delegation capabilities.
  • Resources: Cloud infrastructure, SaaS applications, databases, secrets vaults, production systems.

This graph enables crown jewel reachability analysis: for every identity, Setu computes the shortest attack paths to your most critical resources. If a low-privilege identity can reach a production database through three hops of role assumption and group membership, that path is visible—and its ECI contribution is quantified.
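The two graph computations described above, the crown-jewel-biased personalized PageRank from the ECI definition and the shortest-path reachability from this section, as one added example on a constructed graph (not Setu's code or data). The graph, the identity and crown-jewel sets, the damping factor and the 0-100 scaling against the most exposed identity are all assumptions; capacitance and recency weighting are not modelled.

```python
from collections import deque
# Constructed identity exposure graph (assumption). A directed edge s -> t
# means "s can reach or act as t": identity -> group/role -> resource.
EDGES = [
    ("alice", "eng-group"), ("eng-group", "staging-db"),
    ("eng-group", "deploy-role"), ("deploy-role", "prod-db"),
    ("svc-ci", "deploy-role"), ("svc-ci", "secrets-vault"),
    ("bob", "readonly-role"), ("readonly-role", "staging-db"),
]
IDENTITIES = {"alice", "bob", "svc-ci"}
CROWN_JEWELS = {"prod-db", "secrets-vault"}

def build(edges):
    fwd, rev, nodes = {}, {}, set()
    for s, t in edges:
        fwd.setdefault(s, []).append(t)
        rev.setdefault(t, []).append(s)
        nodes.update((s, t))
    return fwd, rev, nodes

def hops_to_jewels(edges, identity):
    """BFS hop count from one identity to each crown jewel (None = unreachable)."""
    fwd, _, _ = build(edges)
    dist, queue = {identity: 0}, deque([identity])
    while queue:
        n = queue.popleft()
        for m in fwd.get(n, []):
            if m not in dist:
                dist[m] = dist[n] + 1
                queue.append(m)
    return {j: dist.get(j) for j in CROWN_JEWELS}

def crown_jewel_ppr(edges, alpha=0.85, iters=100):
    """Personalized PageRank on the REVERSED graph, teleporting only to crown jewels,
    so rank mass flows from the jewels back to whatever can reach them (0-100 scaled)."""
    _, rev, nodes = build(edges)
    k = len(CROWN_JEWELS)
    teleport = {v: (1.0 / k if v in CROWN_JEWELS else 0.0) for v in nodes}
    rank = dict(teleport)
    for _ in range(iters):
        new = {v: (1 - alpha) * teleport[v] for v in nodes}
        for v in nodes:
            # v's out-edges on the reversed graph; dangling nodes hand mass back to the jewels
            targets = rev.get(v) or CROWN_JEWELS
            for p in targets:
                new[p] += alpha * rank[v] / len(targets)
        rank = new
    top = max(rank[i] for i in IDENTITIES) or 1.0
    return {i: round(100 * rank[i] / top, 1) for i in IDENTITIES}
```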

The JIT Access module enforces micro-perimeters operationally:

  • Request-and-approval workflows with configurable approval layers
  • Time-bound access with automatic expiration and extension limits
  • Session recording for sensitive operations with command logging
  • Dangerous command detection via regex-based blocking during JIT sessions
  • Automatic termination on policy violations

Setu also performs Standing Privilege Discovery: continuously scanning for permanent privileged access and scoring it by privilege type, days since last use, production access status, and grant source clarity. Every standing privilege gets a recommendation: convert to JIT, remove, review, or accept—with the expected ECI reduction computed upfront.


Principle 4: Semantic Drift and Behavioral Anomaly Detection

What JIT-TRUST prescribes

The framework introduces semantic drift detection: monitoring for subtle goal manipulation where an agent's actions technically look logical but deviate from the stated objective. It also describes a Digital Pulse—real-time monitoring of interaction patterns (command frequency, navigation patterns, workflow cadence) that triggers access revocation on anomalous spikes.

How Setu implements this

Setu's Continuous Threat Exposure Management (CTEM) pipeline implements drift detection across the identity surface:

Identity Drift Detection compares current identity configurations against approved baselines. When an identity's permissions, group memberships, or access patterns change outside an approved workflow, the system flags the drift and can auto-remediate—reverting to baseline and validating that permissions match the approved state.

Behavioral Anomaly Correlation (running every 5 minutes via the scheduled worker) applies ML models to detect:

  • Access patterns that deviate from established baselines
  • Privilege escalation sequences—identities accumulating access through incremental, technically legitimate changes
  • Lateral movement indicators—identities accessing resources thematically inconsistent with their role
  • Temporal anomalies—access at unusual hours, frequency spikes, or cadence changes

Attack Path Analysis adds a graph dimension: when behavioral anomalies are detected, Setu evaluates whether the anomalous identity sits on an active attack path to crown jewels. An anomalous access pattern from an identity with an ECI of 15 gets a different response than the same pattern from an identity scoring 85.


Principle 5: Ephemeral Privilege and Consumable Access

What JIT-TRUST prescribes

Access should function like gas on a blockchain: agents receive short-term passes with spending limits. Each resource use consumes budget. Depletion or expiration forces re-authorization.

How Setu implements this

Setu's JIT Access module implements the ephemeral access pattern with operational maturity:

  • Template-based access grants for common scenarios (AWS role assumption, Azure PIM activation, GCP IAM binding, AD group membership, database access)
  • Break-glass access for emergencies—immediate provisioning with full audit trail and mandatory post-incident review
  • Ticket integration (ServiceNow, Jira, Zendesk)—linking each access grant to a business justification that becomes part of the audit record
  • Risk-based auto-approval: Low-risk requests from known roles can be auto-approved, while high-ECI requests require human approval

The closed-loop automation engine is what makes this operationally real. After any access change, the system runs a validation cycle:

  1. Detect the exposure (excessive permissions, drift, high ECI)
  2. Select the appropriate remediation playbook
  3. Execute the fix (revoke unused permissions, disable dormant account, enforce MFA)
  4. Validate by re-measuring ECI—did it actually decrease?
  5. Rollback automatically if validation fails

This detect→execute→validate→rollback loop means remediation is never fire-and-forget. If revoking a permission breaks a workflow, the system detects the validation failure and reverts—maintaining the balance between security and operational continuity.
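The detect, select, execute, validate, rollback loop above as an added worked example (not Setu's automation engine). The toy ECI formula, the three playbooks and the "dependent workflow" health check that catches a revocation breaking a workflow are assumptions standing in for the real engine.

```python
from dataclasses import dataclass, field

# Toy model of the page's detect -> select -> execute -> validate -> rollback
# loop. The ECI formula, the playbook internals and the workflow health check
# are assumptions standing in for the real engine.
@dataclass
class Identity:
    name: str
    permissions: set
    unused: set = field(default_factory=set)    # grants with no observed use
    required: set = field(default_factory=set)  # grants a known workflow needs
    mfa_enforced: bool = False
    dormant: bool = False
    disabled: bool = False

def measure_eci(i: Identity) -> float:
    """Stand-in ECI: admin grants weigh 25, others 10, dormancy adds 20,
    enforced MFA discounts 30%, a disabled account has no exposure."""
    if i.disabled:
        return 0.0
    score = sum(25 if p.startswith("admin:") else 10 for p in i.permissions)
    score += 20 if i.dormant else 0
    return round(min(100.0, score * (0.7 if i.mfa_enforced else 1.0)), 1)

def workflow_ok(i: Identity) -> bool:
    """Validation: the workflow's required grants must survive the fix."""
    return i.required <= i.permissions or i.disabled

def revoke_unused(i): i.permissions -= i.unused
def enforce_mfa(i): i.mfa_enforced = True
def disable_dormant(i): i.disabled = i.dormant
PLAYBOOKS = [("revoke_unused", revoke_unused), ("enforce_mfa", enforce_mfa),
             ("disable_dormant", disable_dormant)]

def remediate(i: Identity, threshold: float = 50.0):
    """Run playbooks in order until ECI drops under the threshold. Each fix is
    validated by re-measuring ECI and re-checking the dependent workflow; a
    fix that does not lower ECI, or breaks the workflow, is rolled back."""
    audit, current = [], measure_eci(i)
    if current < threshold:
        return current, [f"{i.name}: ECI {current} under threshold, no action"]
    for name, action in PLAYBOOKS:
        saved = (set(i.permissions), i.mfa_enforced, i.disabled)
        action(i)
        after, healthy = measure_eci(i), workflow_ok(i)
        if after < current and healthy:
            audit.append(f"{i.name}: {name} validated, ECI {current} -> {after}")
            current = after
        else:
            i.permissions, i.mfa_enforced, i.disabled = saved
            audit.append(f"{i.name}: {name} rolled back, ECI {current} -> {after}, workflow_ok={healthy}")
        if current < threshold:
            break
    return current, audit
```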


Principle 6: Unified Cryptographic Identity and NHI Governance

What JIT-TRUST prescribes

Every user, agent, and system component must possess a unified, cryptographically verifiable identity. Without this foundation, fragmented identity systems enable both autonomous agent exploitation and adversarial hijacking.

How Setu implements this

Setu's NHI Catalog provides unified discovery and governance across 30+ platforms:

  • Cloud IAM: AWS IAM users/roles, Azure AD service principals, GCP service accounts
  • Identity Providers: Okta service accounts, Auth0 machine-to-machine apps
  • DevOps: GitHub/GitLab tokens, CI/CD service connections (CircleCI, Jenkins)
  • Infrastructure: Kubernetes service accounts, Terraform Cloud tokens, Vault AppRoles
  • SaaS: Datadog, PagerDuty, Stripe, Twilio API keys
  • AI/ML: Model serving tokens, inference API keys, agent credentials

Each NHI gets:

  • An ECI score with the credential hygiene modifier
  • Ownership attribution (or flagged as orphaned if no owner can be determined)
  • Usage tracking (last used, frequency, access patterns)
  • Rotation compliance monitoring (age, policy adherence)
  • Exposure scanning against breach databases

The Samyoga Session Authority extends this to browser-based sessions across three models: endpoint browser (local), remote browser isolation (cloud), and isolation browser (sandboxed). Each session carries security zone classification (trusted/untrusted/isolated), encrypted cookie management, and MFA verification tracking with time windows.


Where the Industry Needs to Go Next

Pingree's JIT-TRUST framework is directionally correct—especially in identifying the inadequacy of static policies for governing autonomous agents. Setu implements many of the core principles today. But there are frontiers where the entire industry has work to do:

Intent-Aware Access Decisions

JIT-TRUST's most ambitious proposal is intent and semantic awareness: extracting purpose from LLM prompts and lateral agent communications to inform access decisions. Setu's behavioral anomaly detection operates on access patterns and graph topology, but true intent extraction—understanding why an agent is requesting access, not just what it's accessing—requires integration with prompt firewalls and generative application firewalls that the market is only beginning to build.

Agent-to-Agent Delegation Chain Analysis

Today, Setu maps NHI-to-resource relationships. The next frontier is agent-to-agent delegation chains: when Agent A delegates to Agent B using B's credentials to invoke Agent C, the ECI isn't any single identity's score—it's the compound exposure across the entire chain. This requires a new graph edge type and a new scoring model for transitive trust.

Shared Intent Intelligence

Pingree's concept of Intent OSINT (IOINT)—sharing behavioral signals across organizations like fraud prevention networks—is compelling but requires standardization that doesn't exist yet. The closest analog today is threat intelligence sharing via STIX/TAXII, but extending this to agentic intent patterns will require new taxonomies and data formats.


The Bottom Line

JIT-TRUST correctly identifies that identity governance must evolve from gate-based (grant access, then forget) to field-based (continuously measure exposure, adapt in real time, remediate automatically). This is exactly what Setu's Identity Risk Graph platform delivers:

  • Not just who has access, but what they can reach — graph-based ECI scoring
  • Not just granting access, but continuously earning it — composite trust scoring with 5-minute refresh
  • Not just detecting problems, but proving fixes work — closed-loop automation with ECI validation
  • Not just governing humans, but governing every identity — unified NHI catalog across 30+ platforms with credential hygiene amplification

The future of identity security isn't about building higher walls. It's about making every identity continuously prove it deserves the access it has—and automatically reducing exposure when it can't.


Setu is an Identity Risk Graph platform that models identity-driven attack paths, quantifies Expected Compromise Impact, and auto-remediates exposure across IAM, cloud, and network control planes. Learn more at samyoga.tech.


Setu Security Research